Hi guys,
A few musing on this subject. If we're to assume that the connection is using SSL/TLS, which it seems that it is, then we have to ask a few questions about the configuration of public / private keys.
1) Which end has the private key?
Is the private key stored on the DS itself or on Nintendo's server. Both have pros and cons as far as Nintendo is concerned. If the private key is on the DS, then the Nintendo server can be sure that the information it's receiving is from the DS and nothing else. And if the private key is on the Nintendo server, then the DS can be sure that it's conversing with the Nintendo server.
2) Is there just one public / private keyset?
Highly highly unlikely. Each DS would have a unique key with the corresponding key located on the Nintendo server. This would allow Nintendo to differentiate between DS consoles based on the keyset.
3) Assuming the above, when is the keyset generated?
Easy question. The keyset must surely be generated the first time you connect to the Nintendo WiFi system and then the DS's key stored on the cartridge (or possibly internal memory). Start up Pokemon, go into "Nintendo WFC Settings", then "Options", then "System Information". Here we have the MAC address of the DS (which could be used as the key password) and the "Nintendo Wi-Fi Connection ID", which I would say is linked to the key on that system.
If you erase the connection settings, the next time you try to connect to the Nintendo server, it will regenerate this with a new number (and also erase your PalPad friends).
4) How do we intercept keys?
We need to try intercepting traffic at the stage when you first connect to the Nintendo server and see what flies across. This would provide some information as to how it works.
There is also an option called "Transfer Nintendo WFC Configuration" which is used to transfer the configuration from one DS to another. We could also try intercepting this traffic to see what we can see.
However, it's worth noting that it is possible that the keys themselves are not transmitted in plain text, but instead encrypted using previously established master key. In which case... bugger!
Andy